t0rn v8 and Showtree Rootkits

sprintserve
03-12-2004, 10:37 PM
Dear all
Anyone know the payload of the above rootkits? Or if you know where to get it, let me know.
Thanks.

Andrew
03-12-2004, 10:46 PM
http://lists.debian.org/debian-user/2003/debian-user-200306/msg00788.html
That's for t0rn v8. Not sure about the other one.

sprintserve
03-12-2004, 10:59 PM
Actually, I pretty much wiped out t0rn v8. Still getting a positive (possible) on the Showtree rootkit. I did it by analysing chkrootkit and seeing what they check for, and replaced/deleted those binaries/libraries and so on. Will do so for Showtree too.

Steven
03-12-2004, 11:05 PM
4th person today to get this, hrmms!!!?

sprintserve
03-12-2004, 11:22 PM
Probably related to the cPanel issue yesterday. Who are the other 3?

sprintserve
03-12-2004, 11:25 PM
Thanks for the link, Andrew. Didn't find it on Google, and I missed a file or two. But the funny thing is that they don't seem to have started any of the backdoors. Oh well, back to work.

Steven
03-12-2004, 11:39 PM
netstat -lntpe brought up

    tcp 0 0 0.0.0.0:21337 0.0.0.0:* LISTEN 0 104756549 11971/xntps

I then ran ps auxf | grep 11971, which brought up

    root 11971 0.0 0.0 1900 644 ? S 09:57 0:00 /usr/sbin/xntps -q

which happens to be the backdoor.

Steven
03-12-2004, 11:43 PM
Also check /etc/rc.d/rc.sysinit. At the very bottom you will see

    # Xntps (NTPv3 daemon) startup..
    /usr/sbin/xntps -q
    # Xntps (NTPv3 daemon) startup..
    /usr/sbin/xntps -q
    # Xntps (NTPv3 daemon) startup..
    /usr/sbin/xntps -q
    # Xntps (NTPv3 daemon) startup..
    /usr/sbin/xntps -q

Remove it.

Steven
03-13-2004, 12:34 AM
http://www.securityfocus.com/archive/1/357268/2004-03-09/2004-03-15/0

Andrew
03-13-2004, 12:41 AM
Nick says that's not an issue. :/

Steven
03-13-2004, 12:47 AM
Well, Nick's wrong, I've seen it in action.

sprintserve
03-13-2004, 02:21 AM
I tested. Didn't work on ours.

sprintserve
03-13-2004, 02:23 AM
Update: I think our firewall cramps the trojan's style.
Whoever ran it didn't even run any services. The files are there. That's about it. Not as bad as it seems now. On top of that, it's a server that we used to store offsite backups. Probably should write a script for auto t0rn v8 removal. Or anyone want to save me the trouble :)

HostRefugee-Vince
03-13-2004, 06:15 PM
If you write a script for auto-removal, let me know.

Kevin
03-13-2004, 08:31 PM
Scary to trust a machine after it's been rooted, wow.

sprintserve
03-13-2004, 10:30 PM
Originally posted by HP-Kevin:
Scary to trust a machine after it's been rooted, wow.
Not if you know what you are doing ;)

Kevin
03-13-2004, 11:38 PM
If you knew what you were doing, you wouldn't have gotten rooted :) Scary stuff... You can get rid of/reverse the actions of the rootkit maybe, but you never know if something else was modified or changed, or what sensitive information has been collected that could be used against you or your customers in the future. Damn cyber-terrorists haha.

sprintserve
03-13-2004, 11:53 PM
Well, it was a spare server, so there's nothing of note in it. All the servers in use are fine. cPanel simply has a lot to answer for with their buggy code :) Like I said, if you know what you are doing, you would know what's modified or changed. ;)

Steven
03-13-2004, 11:56 PM
Originally posted by HP-Kevin:
If you knew what you were doing, you wouldn't have gotten rooted :)
How many times do I have to go around and say it? You cannot gain 100% security; you can, however, gain increased security. The only way to gain 100% security is to remove the internet and lock it up in a safe where no one can get to it. But even then it's not secure, because someone could crack the safe. Besides, this was a hole taken advantage of in cPanel's buggy code; nothing you could have done to help that. Someone is always ahead of you.

coight
03-14-2004, 12:44 AM
Exactly, people break into places that have security guards and are manned 24/7. Anyone determined enough will be able to hack your servers.
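An added example, not from the thread or from any of its posters, that scripts the three checks Steven posted above (the LISTEN socket on 0.0.0.0:21337, the /usr/sbin/xntps -q process, and the "Xntps (NTPv3 daemon) startup.." lines appended to /etc/rc.d/rc.sysinit), in the spirit of the auto-removal script sprintserve mentions. The function names and the netstat, ps and rc.sysinit samples are constructed for the example; the script writes a cleaned copy of rc.sysinit next to the original rather than editing it in place, so the two can be diffed first.

```shell
#!/bin/sh
# Added example (not from the thread): flag and strip the t0rn v8 "xntps"
# backdoor using only the indicators posted above. Function names and the
# sample data below are assumptions, not output captured from a real box.

BACKDOOR_PORT=21337
BACKDOOR_BIN=/usr/sbin/xntps

# Print "pid program" for each LISTEN socket bound to the backdoor port.
# Input on stdin: output of `netstat -lntpe` (fields: proto, recv-q, send-q,
# local addr, foreign addr, state, user, inode, pid/program).
backdoor_listeners() {
    awk -v port="$BACKDOOR_PORT" '
        $6 == "LISTEN" && $4 ~ (":" port "$") { split($NF, p, "/"); print p[1], p[2] }'
}

# Print the PID of each process whose command is the backdoor binary.
# Input on stdin: output of `ps aux` or `ps auxf` (PID in field 2, command
# from field 11 on; the exact-path match skips the "\_" forest prefix and
# does not fire on a legitimate xntpd).
backdoor_processes() {
    awk -v bin="$BACKDOOR_BIN" '
        $2 ~ /^[0-9]+$/ { for (i = 11; i <= NF; i++) if ($i == bin) { print $2; break } }'
}

# Print the line numbers of the startup lines the rootkit appends to $1.
backdoor_startup_lines() {
    awk -v bin="$BACKDOOR_BIN" '
        /^# Xntps \(NTPv3 daemon\) startup/ || $1 == bin { print NR }' "$1"
}

# Write a copy of $1 with those lines removed to $2; $1 is left untouched.
clean_rc_sysinit() {
    awk -v bin="$BACKDOOR_BIN" '
        /^# Xntps \(NTPv3 daemon\) startup/ || $1 == bin { next }
        { print }' "$1" > "$2"
}

# Run the three checks against the live system (Linux with procps tools).
scan_live_system() {
    echo "listeners on :$BACKDOOR_PORT:"; netstat -lntpe 2>/dev/null | backdoor_listeners
    echo "processes running $BACKDOOR_BIN:"; ps aux | backdoor_processes
    echo "startup lines in /etc/rc.d/rc.sysinit:"; backdoor_startup_lines /etc/rc.d/rc.sysinit
}

# --- Constructed samples, modelled on the lines quoted in the thread ---
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 5321 901/sshd
tcp 0 0 0.0.0.0:21337 0.0.0.0:* LISTEN 0 104756549 11971/xntps'

SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 1100 460 ? S 09:55 0:01 init
root 11971 0.0 0.0 1900 644 ? S 09:57 0:00 /usr/sbin/xntps -q
ntp 12050 0.0 0.0 3200 900 ? S 10:01 0:00 /usr/sbin/xntpd -p /var/run/ntpd.pid'

# Write a sample rc.sysinit, with the rootkit's trailing lines, to $1.
sample_rc_sysinit() {
    cat > "$1" <<'EOF'
#!/bin/sh
# rc.sysinit - run once at boot
touch /var/lock/subsys/local
# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q
# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q
EOF
}

# --- Demo on the samples; on a real box call scan_live_system instead ---
printf '%s\n' "$SAMPLE_NETSTAT" | backdoor_listeners    # -> 11971 xntps
printf '%s\n' "$SAMPLE_PS" | backdoor_processes         # -> 11971
RC=$(mktemp) && sample_rc_sysinit "$RC"
backdoor_startup_lines "$RC"                             # -> 4 5 6 7, one per line
clean_rc_sysinit "$RC" "$RC.clean"
diff "$RC" "$RC.clean" || true                           # shows the four removed lines
rm -f "$RC" "$RC.clean"
```

On a compromised box the checks only tell you this particular backdoor is present or gone; they say nothing about replaced system binaries or anything else the intruder left, so treat a clean result as one input to the rebuild-or-not decision, not as proof the machine is trustworthy.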
sprintserve
03-14-2004, 01:06 AM
That too. As the popular saying goes, the odds are against system admins. We have to patch 1001 holes and the hackers just need to find 1 to get in.

Kevin
03-14-2004, 03:16 PM
You guys don't need to jump on me; look at my post, I had a smiley face, I was joking around. Holy s***, this is WHT, you're not impressing anybody, this is just discussion. Back to my point: you cannot be sure you have a machine back to being secure after it's been rooted. I really don't think an exploited box can be trusted anymore... Sure, you can reverse the rootkit like I said, but you don't know how elaborate the hacker got, and maybe he downloaded all your users' passwords... cracking them; most people use weak *** passwords. It's a scary situation; removing the kit isn't the solution, that's all I was saying. I agree there is no such thing as 100% security, I didn't say there was such a thing, but I think people don't take updates as seriously as they should. Most of these "hackers" are just using the same info available to you, the sysadmin. The guy gets an email from cPanel or SecurityFocus or wherever saying "exploit found"; he was just faster at exploiting you than you were at protecting against the exploit. Be proactive, not reactive, that's all I'm saying. No need to light me on fire, thank you.